NeuroAgent

Fix APS Viewer 404 Authorization Error

Learn how to fix the 404 authorization error when viewing previously translated models in APS Viewer. Discover solutions for token scope issues, regional configuration problems, and authentication method changes affecting older URNs.

#404-authorization-error#autodesk-aps-viewer#autodesk-authentication#model-derivative-service#regional-configuration#token-scope-issues#urn-authorization

Error 404 When Viewing Previously Translated Models in APS Viewer

All previously translated models across all environments (development, staging, and production) are returning error 404 with the message “x-ads-troubleshooting: Fail to authorize the input URN. Either the object doesn’t exist or you don’t have permission to view the object” when accessed in the APS Viewer.

Problem Details:

  • Models were created at different times, including production models that had been online for over a year
  • New models can be viewed successfully
  • The issue specifically affects models translated before the recent change
  • Access to views, tree, and properties of translated models still works normally

Technical Information:

  • Error: 404
  • Error Message: “x-ads-troubleshooting: Fail to authorize the input URN. Either the object doesn’t exist or you don’t have permission to view the object”

Can someone help diagnose this issue and explain what might be causing this authorization problem with previously translated models?

NeuroAgent

The 404 authorization error you’re experiencing with previously translated models in the APS Viewer is likely related to recent changes in Autodesk’s authentication system and API requirements. This issue appears to be affecting older models due to either token scope limitations, regional configuration changes, or the deprecation of older authentication methods that were used when those models were originally translated.

Contents

Understanding the Root Cause

The error message “x-ads-troubleshooting: Fail to authorize the input URN. Either the object doesn’t exist or you don’t have permission to view the object” indicates an authorization issue rather than a missing resource. Since new models work fine but older ones don’t, this suggests a change in how authorization is handled for existing URNs.

According to recent Autodesk documentation, several factors could be contributing to this issue:

  1. Authentication Method Changes: Autodesk deprecated the V1 authentication method on April 30, 2024, which may have affected how older tokens are validated [source].

  2. Token Scope Requirements: The error often occurs when access tokens don’t have the required scopes. For viewing translated models, you typically need scopes like data:read and data:write [source].

  3. Regional API Endpoints: If your bucket or ACC account is in the EU region (EMEA), you need to use the streamingV2_EU endpoint instead of the standard api endpoint [source].

  4. URN Format Changes: The way URNs are generated and validated may have changed, affecting older URNs that were created under previous API versions.

Authentication System Changes

Autodesk made significant changes to its authentication system in 2024 that directly impact how URNs are authorized. The most critical change was the deprecation of the V1 authentication method.

Authentication V1 Deprecation

  • Timeline: V1 authentication was completely disabled on April 30, 2024
  • Impact: Applications relying on V1 tokens may fail to authenticate for older URNs
  • Solution: All applications must now use V2 authentication with proper scope definitions

“Currently, Autodesk offers two authentication versions, but come April 30, 2024, the ‘V1’ method will no longer be supported.” [source]

Token Scope Evolution

The Model Derivative service now requires more specific scopes:

javascript
// Insufficient scope (may cause 404 for older URNs)
const scopes = ['bucket:create']; 

// Required scopes for viewing translated models
const requiredScopes = [
  'data:read',
  'data:write',
  'bucket:read',
  'bucket:create'
];

When models were originally translated, they may have been created with tokens that had different or more limited scopes than what’s now required for viewing [source].

Common Causes and Solutions

Cause 1: Missing or Expired Tokens

Problem: Older URNs were created with tokens that are now expired or have insufficient scopes.

Solution: Regenerate tokens with the correct scopes:

javascript
// Generate new token with proper scopes for viewing
const auth = new TwoLeggedAuth();
auth.setScopes(['data:read', 'data:write', 'bucket:read']);
const token = await auth.fetchToken();

Cause 2: Manifest Endpoint Issues

Problem: The /modeldata/manifest/ endpoint is returning 401 errors for older URNs.

Solution: Verify the URN is properly encoded and the token has the right permissions:

javascript
// Ensure URN is properly encoded
const encodedUrn = Base64Encode(urn);
const manifest = await derivativesApi.GetManifestAsync(encodedUrn);

Cause 3: Translation Status Issues

Problem: Older models may not have been fully translated or their derivatives may have been corrupted.

Solution: Check the translation job status and retranslate if necessary:

javascript
// Check translation status
const jobStatus = await derivativesApi.GetJobStatusAsync(jobId);
if (jobStatus.status === 'success') {
  // Proceed with viewing
} else {
  // Retranslate the model
}

Regional Configuration Issues

If your Autodesk Construction Cloud (ACC) or BIM 360 account is hosted in the EU region, you’ve likely encountered regional-specific issues with the streaming endpoints.

EU Regional Configuration

The standard api endpoint doesn’t work for EMEA regions. You must use the regional endpoint:

javascript
// Incorrect for EU/EMEA regions
const config = {
  api: 'https://developer.api.autodesk.com'
};

// Correct for EU/EMEA regions
const config = {
  api: 'https://developer.api.autodesk.com/streamingV2_EU'
};

“In case your OSS bucket or BIM360/ACC account is from the EU region (EMEA), please replace the api value with ‘streamingV2_EU’” [source]

Regional Testing Steps

  1. Identify your account’s geographic region
  2. Verify your API endpoint configuration matches the region
  3. Test with both endpoints to determine which works
  4. Update your application configuration accordingly

Troubleshooting Steps

Step 1: Verify Token Scopes

Check that your access token includes all required scopes:

  1. Generate a new token with comprehensive scopes
  2. Decode the token to verify its contents
  3. Test the token with a known-working model first

Step 2: Check URN Authorization

Manually test URN authorization:

bash
# Test URN authorization via curl
curl -X GET \
  'https://developer.api.autodesk.com/modelderivative/v2/designdata/{encoded_urn}/manifest' \
  -H 'Authorization: Bearer {your_token}' \
  -H 'Content-Type: application/json'

Step 3: Validate Regional Settings

Confirm your regional configuration:

  • Check if your bucket is in EU/EMEA region
  • Verify your API endpoint uses the correct regional suffix
  • Test with both standard and regional endpoints

Step 4: Check Model Translation Status

Verify the translation completion status:

javascript
// Check if translation completed successfully
const jobStatus = await derivativesApi.GetJobStatusAsync(translationJobId);
console.log('Translation status:', jobStatus.status);

Step 5: Update Authentication Method

Ensure you’re using V2 authentication:

javascript
// V2 Authentication implementation
const authClient = new AuthenticationClientTwoLegged();
const credentials = {
  client_id: process.env.AUTODESK_CLIENT_ID,
  client_secret: process.env.AUTODESK_CLIENT_SECRET,
  scope: 'data:read data:write bucket:read bucket:create'
};

Preventive Measures

1. Regular Token Refresh

Implement automatic token refresh to prevent expiration issues:

javascript
// Token refresh logic
async function ensureValidToken() {
  const tokenExpiry = new Date(tokenInfo.expiry * 1000);
  const now = new Date();
  
  if (tokenExpiry - now < 5 * 60 * 1000) { // 5 minutes buffer
    await refreshToken();
  }
}

2. Comprehensive Scope Management

Always request the most comprehensive scopes available:

javascript
// Recommended scope set for production
const productionScopes = [
  'data:read',
  'data:write',
  'bucket:read',
  'bucket:create',
  'bucket:delete',
  'data:create',
  'data:search'
];

3. Regional Configuration Management

Create a regional configuration system:

javascript
// Regional configuration helper
const getRegionalEndpoint = (region) => {
  const endpoints = {
    'US': 'https://developer.api.autodesk.com',
    'EU': 'https://developer.api.autodesk.com/streamingV2_EU',
    'APAC': 'https://developer.api.autodesk.com/streamingV2_APAC'
  };
  return endpoints[region] || endpoints['US'];
};

4. Monitoring and Alerting

Set up monitoring for authorization errors:

javascript
// Error monitoring implementation
const viewerErrorHandler = (error) => {
  if (error.status === 404 && error.message.includes('Fail to authorize')) {
    // Log and alert for URN authorization issues
    console.error('URN Authorization Error:', error);
    sendAlert('URN authorization error detected');
  }
};

Conclusion

The 404 authorization error with previously translated models in APS Viewer is primarily caused by recent authentication system changes, token scope limitations, and regional configuration issues. Key takeaways include:

  1. Update Authentication: Ensure all applications use V2 authentication with comprehensive scopes like data:read, data:write, and bucket:read

  2. Check Regional Settings: If using EU/EMEA regions, configure your API endpoint to use streamingV2_EU instead of the standard endpoint

  3. Regenerate Tokens: Create new access tokens with the required scopes for viewing existing URNs

  4. Monitor Translation Status: Verify that older models were successfully translated and their derivatives are intact

  5. Implement Preventive Measures: Set up regular token refresh, comprehensive scope management, and error monitoring

For immediate resolution, focus on regenerating tokens with the correct scopes and verifying your regional configuration. If the issue persists, consider retranslating affected models using the current API requirements.

Sources

  1. Autodesk Platform Services - 401 Unauthorized / 403 Forbidden
  2. Stack Overflow - Autodesk Viewer stopped working - returns 401 on /modeldata/manifest/
  3. Autodesk Platform Services - Getting 404 resource not found error in viewer
  4. Blog - Important Update: Autodesk Authentication Changes Coming April 30, 2024
  5. Autodesk Platform Services - Authentication API V2 update
  6. Autodesk Platform Services - Generating Access Tokens and Model URNs
How to update authentication from V1 to V2 for Autodesk APS Viewer?What are the required token scopes for viewing translated models in Autodesk?How to configure EU regional endpoints for Autodesk Model Derivative API?Why do new models work but old models return 404 in APS Viewer?How to check and fix translation status for existing model URNs?What preventive measures can avoid 404 authorization errors in Autodesk Viewer?
Ask NeuroAgent